Group items tagged

When ethical hackers track down computer criminals, do they risk prosecution themselves? Security researchers at this week's Usenix conference in Boston believe this is a danger, and that ethical hackers have to develop a uniform code of ethics for themselves before the federal government decides to take action on its own. One such researcher introduced himself by saying "Hi, I'm Dave Dittrich, and I'm a computer criminal." Dittrich, senior security engineer and researcher at the University of Washington's Information School, has not been unlucky enough to be prosecuted. But ten years ago, he took actions to disrupt distributed denial-of-service attacks which he says could have been construed as criminal, he says. Working within the University of Washington Network, Dittrich says he "copied files from one host in Canada that was caching malicious software and logs of compromised hosts," allowing him to gain a fuller understanding of the nascent distributed denial-of-service tools, and to inform the operators of infected Web sites that a problem existed.

It was only a matter of time! Auditor accuracy being examined in lawsuit may signal change in PCI and other compliance processes.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor's report. In theory, CardSystems should have been safe. The industry's primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems' auditor, Savvis Inc, had just given them a clean bill of health three months before. Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised. More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices. They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies. "We're at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it," says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School who specializes in information security issues. "For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secur